
Github reporting a high severity security issue with simple-get


I am getting a high severity security issue from simple-get. As far as I can work out, it comes from tedious' use of @azure/identity, which is currently shown in your package.json as v1.5.2.

npm does show a v2 of this package, although it appears to have breaking changes.

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

2 reactions
michaelpinnell commented, Jan 31, 2022

curious as to the timeline of releasing a new version of tedious with this bump in it

1 reaction
clshortfuse commented, Feb 2, 2022

FYI, the security vulnerability doesn’t actually affect tedious because it doesn’t actually use keytar. That’s only for @azure/identity when using VisualStudioCodeCredential.

https://github.com/Azure/azure-sdk-for-js/blob/%40azure/identity_1.5.1/sdk/identity/identity/src/credentials/visualStudioCodeCredential.ts#L13

That said, it’s also an optional dependency in @azure/identity, so if you want to go in and remove it manually from package-lock.json, you can. Or you can use this in package.json.

  "overrides": {
    "tedious": {
      "@azure/identity": "^2.0.1"
    }
  },

That said, it seems the vulnerability no longer lists tedious. npm audit now lists:

node_modules/simple-get
  prebuild-install  <=6.1.4
  Depends on vulnerable versions of simple-get
  node_modules/prebuild-install
    keytar  4.2.0 - 4.3.1 || 4.4.1 - 7.0.0 || 7.2.0 - 7.7.0
    Depends on vulnerable versions of prebuild-install
    node_modules/keytar

Which can be resolved with npm audit fix without affecting tedious.
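The comment above argues that the flagged package is only reachable through an optional dependency edge (@azure/identity → keytar), so tedious itself is not exposed. The following is an added example, not code from the thread or from the tedious project: it walks the "packages" map of an npm v2/v3 package-lock.json and reports every path from the root to a target package, marking whether the path crosses an optionalDependencies edge. It assumes flat hoisting (a dependency named X lives at "node_modules/X"), and the lockfile fragment is constructed to mirror the chain named in the thread.

```javascript
// Constructed lockfile fragment (not a real project's lockfile) mirroring the chain:
// tedious -> @azure/identity -(optional)-> keytar -> prebuild-install -> simple-get
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { tedious: "^14.0.0" } },
    "node_modules/tedious": { dependencies: { "@azure/identity": "^1.5.2" } },
    "node_modules/@azure/identity": { optionalDependencies: { keytar: "^7.0.0" } },
    "node_modules/keytar": { dependencies: { "prebuild-install": "^6.0.0" } },
    "node_modules/prebuild-install": { dependencies: { "simple-get": "^3.0.0" } },
    "node_modules/simple-get": {},
  },
};

// Outgoing edges of one lockfile entry, tagged with whether the edge is optional.
function edges(entry) {
  const out = [];
  for (const name of Object.keys(entry.dependencies || {})) out.push({ name, optional: false });
  for (const name of Object.keys(entry.optionalDependencies || {})) out.push({ name, optional: true });
  return out;
}

// Every route from the root to `target`, as [{ path: [...names], viaOptional: bool }].
// Assumption: flat hoisting, so dependency X is resolved at "node_modules/X".
function dependencyPaths(lock, target) {
  const results = [];
  const visit = (key, path, viaOptional, seen) => {
    const entry = lock.packages[key];
    if (!entry) return;
    for (const { name, optional } of edges(entry)) {
      const childKey = `node_modules/${name}`;
      if (seen.has(childKey)) continue; // guard against dependency cycles
      const next = [...path, name];
      const opt = viaOptional || optional;
      if (name === target) { results.push({ path: next, viaOptional: opt }); continue; }
      visit(childKey, next, opt, new Set([...seen, childKey]));
    }
  };
  visit("", [], false, new Set([""]));
  return results;
}

// True only if some path reaches `target` without crossing an optional edge,
// i.e. the package is installed in every normal `npm install`, not just opportunistically.
function requiredExposure(lock, target) {
  return dependencyPaths(lock, target).some((r) => !r.viaOptional);
}

console.log(dependencyPaths(sampleLock, "simple-get"));
console.log("required exposure:", requiredExposure(sampleLock, "simple-get"));
```

Run it against a real lockfile by replacing sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))`; nested node_modules directories (non-hoisted duplicates) are not resolved by this simplified walk.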
